G
Guest
Hi all -
I've run into a strange issue with a customers computer. He is running W2K
Pro w/SP3. 512mb RAM. I will start with exactly what the issue is, and then
go into detail as to what lead up to this afterwards.
Basically upon bootup in normal mode, the machine proceeds to display the
desktop but then opens a wordpad instance for EVERY startup item! The wordpad
instances are simply binary with clear ascii text at the top stating "This
program cannot be run in DOS mode". The wordpad window title is the name of
the startup item trying to be executed. Example: rundll32, hp printer
applications, modem helper, etc... About 10 open up, which is about right
seeing that he has about 10 startup items.
The same happens when booting in safe mode, except the instances of wordpad
don't automatically open. One has to try execute a program, then the wordpad
will open stating "This program cannot be run in DOS mode".
In both cases of normal mode or safe mode about the only action you can take
is open My Computer and Control Panel. Even right clicking on My Computer and
selecting Properties executes wordpad and states that RunDLL32 cannot be run
in dos mode! Also, any executable files icon is changed to a wordpad icon.
Bizzare...
Ok, so last week I provided service on the computer and cleaned it up of
spyware and adware. I removed NAV 2004 and SpySweeper (both expired) and
replaced with AVG Free (temporarily) and Windows Defender. The system was
clean, booting great, no problems. I do this work for a living. The customer
used the machine for a few days without problems and then decided to switch
to BitDefender just yesterday due to an issue he had with the AVG scan engine
not detecting the Eicar test virus properly. He uninstalled AVG, installed
BitDefender, updated its defs and then ran a full scan. Apparently it
detected Trojan.HangUp in an OLD executable he had called HangUp.exe, which
used to be provided by one of our local ISP's MANY years ago. I'm not sure
what triggered my customer, but he proceeded to access what he calls DOS and
started mucking with deleting the HangUp.exe file. I asked him what he meant
by DOS. Did you use cmd.exe or command? He didn't know. He said he just tried
deleting through DOS and gave up. At that time he powered down the computer.
Later that day, yesterday, he powered it back up and started having the
issues described above. He then tried, without success, a Last Known Good
Mode and a re-install of W2KPro from the original install CD. We also tried
applying the EXE Fix reg hack from here
http://www.kellys-korner-xp.com/regs_edits/. #12 fix along the left. No go.
My gut says BitDefender caused an issue. But another piece of me wants to
say he caused an issue by doing whatever it was he did on his own while
trying to delete HangUp.exe.
Just a note. HangUp.exe is NOT a virus. In this case it was falsely detected.
Any help is GREATY appreciated
Scott
I've run into a strange issue with a customers computer. He is running W2K
Pro w/SP3. 512mb RAM. I will start with exactly what the issue is, and then
go into detail as to what lead up to this afterwards.
Basically upon bootup in normal mode, the machine proceeds to display the
desktop but then opens a wordpad instance for EVERY startup item! The wordpad
instances are simply binary with clear ascii text at the top stating "This
program cannot be run in DOS mode". The wordpad window title is the name of
the startup item trying to be executed. Example: rundll32, hp printer
applications, modem helper, etc... About 10 open up, which is about right
seeing that he has about 10 startup items.
The same happens when booting in safe mode, except the instances of wordpad
don't automatically open. One has to try execute a program, then the wordpad
will open stating "This program cannot be run in DOS mode".
In both cases of normal mode or safe mode about the only action you can take
is open My Computer and Control Panel. Even right clicking on My Computer and
selecting Properties executes wordpad and states that RunDLL32 cannot be run
in dos mode! Also, any executable files icon is changed to a wordpad icon.
Bizzare...
Ok, so last week I provided service on the computer and cleaned it up of
spyware and adware. I removed NAV 2004 and SpySweeper (both expired) and
replaced with AVG Free (temporarily) and Windows Defender. The system was
clean, booting great, no problems. I do this work for a living. The customer
used the machine for a few days without problems and then decided to switch
to BitDefender just yesterday due to an issue he had with the AVG scan engine
not detecting the Eicar test virus properly. He uninstalled AVG, installed
BitDefender, updated its defs and then ran a full scan. Apparently it
detected Trojan.HangUp in an OLD executable he had called HangUp.exe, which
used to be provided by one of our local ISP's MANY years ago. I'm not sure
what triggered my customer, but he proceeded to access what he calls DOS and
started mucking with deleting the HangUp.exe file. I asked him what he meant
by DOS. Did you use cmd.exe or command? He didn't know. He said he just tried
deleting through DOS and gave up. At that time he powered down the computer.
Later that day, yesterday, he powered it back up and started having the
issues described above. He then tried, without success, a Last Known Good
Mode and a re-install of W2KPro from the original install CD. We also tried
applying the EXE Fix reg hack from here
http://www.kellys-korner-xp.com/regs_edits/. #12 fix along the left. No go.
My gut says BitDefender caused an issue. But another piece of me wants to
say he caused an issue by doing whatever it was he did on his own while
trying to delete HangUp.exe.
Just a note. HangUp.exe is NOT a virus. In this case it was falsely detected.
Any help is GREATY appreciated
Scott